[keycloak-user] Access Forbidden

Aaron Echols aechols at bfcsaz.com
Sat Apr 6 13:41:23 EDT 2019


Upgrading to 5.0.0 doesn't resolve the issue. I reduced the roles on the
users group to `manage-users`, and its members are forbidden access on the
Security Admin Console.
--
*Aaron Echols*
Systems Architect (IT)
Benjamin Franklin Charter School | IT
Email: aechols at bfcsaz.com
Phone: (480) 677-8400
Website: http://www.bfcsaz.com
IT Website: https://it.bfcsaz.com
Support Email: techsupport at bfcsaz.com
Support Portal: https://bfcs.freshservice.com/support/home
Common Questions: https://bfcs.freshservice.com/support/solutions
Forgot your password: https://accounts.bfcsaz.com


On Fri, Apr 5, 2019 at 6:16 AM Pedro Igor Silva <psilva at redhat.com> wrote:

> Hi, this was an issue that was fixed in 5.0.0. You are not the first one
> to query this :)
>
> On Thu, Apr 4, 2019 at 8:23 PM Aaron Echols <aechols at bfcsaz.com> wrote:
>
>> Ok, so further testing shows:
>>
>> Assigning the `manage-users` role doesn't work. Assigning the `manage-realm`
>> role does allow them to log in to the Security Console, and applying the
>> `manage-users` role lets them reset passwords. This isn't a good solution
>> though, since they get access to settings that they shouldn't be able to
>> access.
>>
>> Seems like the role got broken during the upgrade possibly. Is there a way
>> to reset or reinstall a role?
>> --
>> *Aaron Echols*
>>
>> On Thu, Apr 4, 2019 at 4:02 PM Aaron Echols <aechols at bfcsaz.com> wrote:
>>
>> > Hello All,
>> >
>> > I was running 4.1.0.Final and decided to upgrade this week to
>> > 4.8.3.Final. I'm running into an issue where we set a group up with the
>> > `manage-users` Role Mapping. In 4.1.0.Final, the members of said group
>> > were able to log in and reset passwords for users successfully in the
>> > realm they are in.
>> >
>> > Now when they attempt to access the Security Admin Console under
>> > Applications in their profile, they get the following message on the
>> > user side:
>> >
>> > Forbidden
>> > You don't have access to the requested resource.
>> >
>> > All I see in the Events log:
>> >
>> > LOGIN
>> > Client: security-admin-console
>> > User: <identifier>
>> > IP Address: <local-ip>
>> > Details:
>> > auth_method: openid-connect
>> > auth_type: code
>> > response_type: code
>> > redirect_uri: /auth/admin/realm/console/
>> > consent: no_consent_required
>> > code_id: <code-id>
>> > response_mode: fragment
>> > username: <username>
>> >
>> > CODE_TO_TOKEN
>> > Client: security-admin-console
>> > User: <identifier>
>> > Details:
>> > token_id: <token-id>
>> > grant_type: authorization_code
>> > refresh_token_type: refresh
>> > scope: openid
>> > refresh_token_id: <refresh-token-id>
>> > code_id: <code-id>
>> > client_auth_method: client-secret
>> >
>> > I've verified that they have the proper roles assigned. Why isn't this
>> > working now, and does anyone have any tips to help troubleshoot?
>> >
>> > Thanks in advance for any help or recommendations. :)
>> > --
>> > *Aaron Echols*
>> >
>>
>
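The thread's workaround (granting `manage-realm` so members can reach the admin console) hands out far more than the password-reset capability the group needs. The script below is an added example, not code from the thread or from the Keycloak project: it pulls the `realm-management` client roles mapped to a group through the Keycloak admin REST API and flags any role outside an allowed set. The server URL, admin credentials, realm and group name are assumptions; the role-mapping endpoints are the standard admin API paths for Keycloak 4.x/5.x (with the `/auth` context path). The pure helper `find_excess_roles()` needs no server, and the constructed sample at the bottom exercises it offline.

```python
"""Audit the realm-management client roles mapped to a Keycloak group.

Added example, not code from the keycloak-user thread. Assumes a
Keycloak 4.x/5.x server at BASE_URL (with the /auth context path), an
admin account in the master realm, and the standard admin REST API
endpoints named in the comments. find_excess_roles() is pure and runs
offline; the constructed sample at the bottom exercises it.
"""
import json
import urllib.parse
import urllib.request

BASE_URL = "https://keycloak.example.com/auth"   # assumed server URL
ADMIN_USER = "admin"                              # assumed admin login
ADMIN_PASSWORD = "change-me"                      # assumed admin password

# Roles an account that only needs to reset passwords should hold.
# `manage-users` is what the thread intended; `manage-realm` was the
# workaround that over-granted access to realm settings.
ALLOWED_ROLES = {"manage-users", "view-users"}


def find_excess_roles(role_mappings, allowed=ALLOWED_ROLES):
    """Return the names of realm-management roles beyond the allowed set.

    `role_mappings` is the JSON list the admin API returns for
    GET /admin/realms/{realm}/groups/{id}/role-mappings/clients/{clientUuid}
    (each item carries at least a "name" key).
    """
    names = {r["name"] for r in role_mappings}
    return sorted(names - set(allowed))


def admin_token(base_url=BASE_URL, user=ADMIN_USER, password=ADMIN_PASSWORD):
    """Obtain an admin access token via the admin-cli client (password grant)."""
    data = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": "admin-cli",
        "username": user,
        "password": password,
    }).encode()
    req = urllib.request.Request(
        f"{base_url}/realms/master/protocol/openid-connect/token", data=data)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def admin_get(path, token, base_url=BASE_URL):
    """GET {base_url}/admin/realms/{path} with a bearer token; return parsed JSON."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{path}",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def audit_group(realm, group_name, token):
    """Fetch a top-level group's realm-management role mappings and audit them."""
    groups = admin_get(
        f"{realm}/groups?search={urllib.parse.quote(group_name)}", token)
    group = next(g for g in groups if g["name"] == group_name)
    client = admin_get(f"{realm}/clients?clientId=realm-management", token)[0]
    mappings = admin_get(
        f"{realm}/groups/{group['id']}/role-mappings/clients/{client['id']}",
        token)
    return find_excess_roles(mappings)


# Constructed sample mirroring the admin API response shape; the group
# carries the manage-realm workaround described in the thread.
SAMPLE_MAPPINGS = [
    {"id": "00000000-0000-0000-0000-000000000001", "name": "manage-users",
     "clientRole": True, "composite": False},
    {"id": "00000000-0000-0000-0000-000000000002", "name": "manage-realm",
     "clientRole": True, "composite": False},
]

if __name__ == "__main__":
    print("excess roles:", find_excess_roles(SAMPLE_MAPPINGS))  # ['manage-realm']
    # Live check against a real server (assumed realm and group names):
    # print(audit_group("myrealm", "helpdesk", admin_token()))
```

Running the script as-is only exercises the offline sample and reports `manage-realm` as excess; uncomment the last line to audit a real group. The check is deliberately an allow-list: anything not in `ALLOWED_ROLES` is reported, so a role added later during another "make it work" workaround shows up without the list having to enumerate every realm-management role.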